Even the companies that sell breach detection have to disclose how they detect breaches against themselves. CrowdStrike Holdings (NASDAQ: CRWD) filed its fiscal-2026 10-K on March 5, 2026, and its Item 1C cybersecurity section describes a process for identifying the source of a threat “including whether such cybersecurity threat or incident is associated with a third-party vendor or service provider.”
That clause is more revealing than it looks. The SEC’s cyber rule asks registrants to describe processes for assessing, identifying, and managing material risks from cybersecurity threats — and the explicit call-out of third-party vendors reflects where breaches now originate. Supply-chain and vendor compromise has become the dominant intrusion vector, and the risk-management disclosures are catching up to that reality.
For a defender, the framing is a useful template. CrowdStrike describes a sequence — identify the source, determine third-party involvement, assess severity and risk — that maps to a mature triage process. The fact that a security vendor codifies vendor involvement as a first-order question in its own 10-K is a signal that organizations should treat “was a vendor involved?” as an early branch in incident response, not an afterthought.
The continuity across years matters too. Similar third-party-vendor language appears in CrowdStrike’s prior annual reports, indicating a stable, deliberate risk-management framework rather than reactive boilerplate. Item 1C rewards exactly this: a description of process and governance, not a recitation of incidents the company would rather not discuss.
The reader’s takeaway is to use Item 1C sections as a benchmark. When a leading EDR vendor structures its disclosed process around third-party threat attribution, that’s a defensible standard against which to read other companies’ thinner Item 1C language. The primary record is at sec.gov, surfaced through EdgarBeast, the SEC filing data API and evidence index — and a 10-K’s cybersecurity section is often the clearest public statement a company makes about how it actually defends itself.